From 0bab5ee5adaff148d1c0f96ca86597404d972243 Mon Sep 17 00:00:00 2001
From: WanLinghao
Date: Mon, 26 Nov 2018 13:13:18 +0800
Subject: [PATCH] Currently the root-ca-cert-publisher was shadowed by BoundServiceAccountTokenVolume feature gate. But its corresponding bootstrap RBAC policy was shadowed by TokenRequest feature gate. This patch fix it.
---
 .../rbac/bootstrappolicy/controller_policy.go | 2 +-
 .../testdata/controller-role-bindings.yaml | 17 -------------
 .../testdata/controller-roles.yaml | 25 -------------------
 3 files changed, 1 insertion(+), 43 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index b20c927d0a..71485bc986 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -353,7 +353,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 		})
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
 		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
 			Rules: []rbacv1.PolicyRule{
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
index 4f259b1681..6d5cb73e50 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
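Review bot: The new gate on `features.BoundServiceAccountTokenVolume` is only correct as long as kube-controller-manager starts root-ca-cert-publisher under that same gate, and nothing at this site records the coupling, which is how the TokenRequest mismatch crept in. A comment above the `if`, such as `// Must match the feature gate that starts the root-ca-cert-publisher controller in kube-controller-manager; the role grants cluster-wide configmap create/update and must not be bootstrapped when the controller does not run.`, would make the dependency visible to whoever touches either gate next. Since the testdata now drops `system:controller:root-ca-cert-publisher`, the role is presumably no longer in the default bootstrap set; clusters already bootstrapped under the old gate keep the existing ClusterRole and ClusterRoleBinding, as the reconciler does not remove roles absent from the policy, and the commit description could say so. buildControllerRoles starts and ends outside the hunk.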
@@ -357,23 +357,6 @@ items: - kind: ServiceAccount name: resourcequota-controller namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:root-ca-cert-publisher - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:root-ca-cert-publisher - subjects: - - kind: ServiceAccount - name: root-ca-cert-publisher - namespace: kube-system - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index a853a9d9e9..3344def7c2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -1031,31 +1031,6 @@ items: - create - patch - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:root-ca-cert-publisher - rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: